In BNU,
the Permissions file replaces both the Version
2 USERFILE and L.cmds
files. Permissions provides additional protection
and finer control over the UUCP system. A second
file called remote.unknown
controls whether or not an unknown system (that is, one not listed
in your Systems file) can log in (assuming
that the remote system knows a valid UUCP login
name and password).

When uucico starts, it scans the Permissions
file to determine which commands the remote machine can execute
and which files can be accessed.

When uucico
calls another system, it looks for a block of commands containing
a MACHINE=system statement, where system
is the name of the machine that it is calling. For example, if you
are calling the machine idr, it looks for a line in the form:

MACHINE=idr

When uucico
is started by another computer logging in to your local machine,
uucico looks for a block of commands containing
a LOGNAME=loginname, where loginname
is the username with which the remote computer has logged in. For
example, if the remote computer has logged in with the username
Uidr, the uucico running
on your computer looks for a block of commands with a line containing
this statement:

LOGNAME=Uidr

Other
commands in the command block specify what the remote machine can
do:

This Permissions file gives the machine
garp permission to read and write files in
the /usr/spool/uucppublic directory. It also
allows any remote computer logging in with the UUCP
login Ugarp to read and write files from those
directories.

This command allows the machine garp
to read or write any file in /usr/spool/uucppublic,
but only when the machine garp logs into your
computer using the uucp login Ugarp.
Notice in this example that the backslash (\) character
is used to continue the entry on the following line. To include
a comment, begin a line with a hash mark (#).

The REQUEST=yes name-value pair allows garp to request files
from your machine. The SENDFILES=yes pair allows
you to send files to garp even when it initiates
the call to you.

If you assign a unique login ID for
each UUCP system with which you communicate,
then LOGNAME= and MACHINE=
can each be thought of as controlling one direction of the file
transfer operation. But if the same login ID is shared by several
UUCP systems, they will all be covered by the
same LOGNAME= entry when they call you, even
though they will each be covered by their own MACHINE=
entry when you call them.

BNU UUCP has 13 different commands that can be included
in the Permissions file. These commands help
provide the flexibility that BNU allows over
UUCP connections. These commands are placed in
the same command block as the MACHINE= and LOGNAME=
commands described above. You can specify as many commands in a
block as you wish.

A MACHINE=
entry in the Permissions file is used when
a specific remote site is contacted by the local computer. Specify
a MACHINE=OTHER entry to define a Permissions
entry for any machine that is not explicitly referenced.

For example:

# Setup for when we call garp
MACHINE=garp

LOGNAME=
is used when a remote site logs in with a specific login name. Each
UUCP login name should appear in only one LOGNAME
entry.

For example:

# Setup login for when garp calls
LOGNAME=Ugarp

You can specify a LOGNAME=OTHER
entry to define a Permissions entry for any
machine that is not explicitly referenced.

For example:

# Setup login for everybody else
LOGNAME=OTHER

REQUEST=
specifies whether the remote system can request file transfers with
your computer. The default is "no," which means
that files can be transferred only if the uucp
command is issued on your computer.

For example:

# Let garp request files
MACHINE=garp LOGNAME=Ugarp REQUEST=YES

SENDFILES= specifies whether files
that are queued on the local system should be sent to the calling
system when it contacts the local system. The default is "call,"
which means "no, don't send any queued files when
the other computer calls me; hold the files until I call the other
computer." The reason for this option is that you are more
sure of the identity of a remote computer when you call
it than when it calls you. If you
set this entry to "yes," all of the queued files
will be sent whenever the remote system calls you, or when you call
it, whichever happens first. This option makes sense only with the
LOGNAME entries. If this option is used with
a MACHINE entry, it is ignored.

For example:

# Send files to garp when it calls us
LOGNAME=Ugarp SENDFILES=YES

PUBDIR= allows you to specify directories
for public access. The default is /usr/spool/uucppublic.

NOREAD= and NOWRITE=
specify directories that uucico may not read
from or write to, even if those directories are included in a READ
or a WRITE command. You might want to use the
NOREAD and NOWRITE directives
to exclude directories like /etc and /usr/lib/uucp,
so that there is no way that people on machines connected to yours
via UUCP can read files like /etc/passwd
and /usr/lib/uucp/Systems.

CALLBACK= specifies whether or not the local system must call back
the calling system before file transfer can occur. The default is
"no." CALLBACK enhances security
in some environments. Normally, it is possible with UUCP
for one machine to masquerade as another. If you call a remote machine,
however, it is unlikely that such a masquerade is taking place.
CALLBACK is also useful for situations where
one computer is equipped with a low-cost, long-distance telephone
line, so that the majority of the call will be billed at the lower
rate. The CALLBACK command makes sense only for
LOGNAME entries. If two sites have CALLBACK=yes
specified for each other, the machines will continually call back
and forth, but no data will be transferred.

COMMANDS= specifies commands that the
remote system can execute on the local computer. When uuxqt
executes a command, it searches the Permissions
file for the MACHINE= entry associated with the
particular system from which the commands were sent. The MACHINE=
entry is the one that is used, even if the uucico
connection was originated by the remote machine and a different
LOGNAME= entry is being used.

The
default value for COMMANDS is compiled into your
version of uuxqt; if you have source code,
it is defined in the file params.h. The COMMANDS=
entry often has the single form:

COMMANDS=rmail

You
can specify a full pathname:

COMMANDS=rmail:/usr/bin/rnews:/usr/ucb/lpr

You can specify the value ALL, which allows
any command to be executed:

COMMANDS=ALL

You probably
don't want to specify ALL unless you
have complete control over all of the machines that you connect
to with UUCP.

VALIDATE=
is used with a LOGNAME entry to provide a small
additional degree of security. Specifying a machine name (or many
machine names) in the VALIDATE= entry will allow
that UUCP login to be used only by those machines.

For example:

# Let's be sure about garp
LOGNAME=Ugarp VALIDATE=garp

This command prevents
any UUCP computer other than garp
from using the Ugarp login. Of course, anybody
interested in using UUCP to break into your computer
could as easily change their UUCP name to be
garp, so this command really doesn't
provide very much security.

MYNAME= can be used to change the
UUCP name of your computer when it initiates
a UUCP connection. This command is useful for
testing. It is also helpful when you use a generic name for your
site that is not the same as the name of your UUCP machine.
For example:

Got that? You can make your computer have any UUCP
name that you want! Anybody else can do this as well,
so be careful if you let any machine execute
commands (specified in the COMMANDS= entry) that
might be considered potentially unsafe (e.g., rm,
shutdown).

NOTE: If you wish to run a secure system, the directory /usr/lib/uucp
(or /etc/uucp) must not be in the WRITE
directory list (or it must be in the NOWRITE
list)! If users from the outside are allowed to transfer into these
directories, they can change the Permissions
file to allow them to execute any command that they wish. Similarly,
local users can use the uucp command to change
these files, and then subvert UUCP. Giving all
access from the / directory is also dangerous - as
such, people outside your organization can subvert your system easily.
Furthermore, the home directory for the uucp
user should not be in the /usr/spool/uucp/uucppublic
directory, or in any other directory that can be written to by a
uucp user. Doing so allows an outside user
to subvert the system.

# /usr/lib/uucp/uucheck -v
*** uucheck: Check Required Files and Directories
*** uucheck: Directories Check Complete
*** uucheck: Check /etc/uucp/Permissions file
** LOGNAME PHASE (when they call us)
When a system logs in as: (Ugarp)
We DO NOT allow them to request files.
We WILL send files queued for them on this call.
They can send files to
/usr/spool/uucppublic
/usr/tmp
Sent files will be created in /var/spool/uucp
before they are copied to the target directory.
Myname for the conversation will be sun.
PUBDIR for the conversation will be /usr/spool/uucppublic.
** MACHINE PHASE (when we call or execute their uux requests)
When we call system(s): (garp)
We DO NOT allow them to request files.
They can send files to
/usr/spool/uucppublic
/usr/tmp
Sent files will be created in /var/spool/uucp
before they are copied to the target directory.
Myname for the conversation will be sun.
PUBDIR for the conversation will be /usr/spool/uucppublic.
Machine(s): (garp)
CAN execute the following commands:
command (rmail), fullname (rmail)
command (rnews), fullname (rnews)
command (uucp), fullname (uucp)
*** uucheck: /etc/uucp/Permissions Check Complete
#
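
The NOTE above on writable configuration directories, together with the warnings about COMMANDS=ALL and access from /, can be checked mechanically. The script below is an added example, not part of the original text or of BNU: the sample Permissions entries are constructed, the function names are hypothetical, and it assumes that each directory in READ, WRITE and NOWRITE applies to everything beneath it.

```python
# Added example: audit a BNU Permissions file for the risks described above.
# SAMPLE is constructed for illustration; it is not taken from a real system.
SAMPLE = """\
# Setup for garp (constructed sample)
MACHINE=garp LOGNAME=Ugarp REQUEST=yes SENDFILES=yes \\
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic:/usr/lib \\
    COMMANDS=rmail:/usr/bin/rnews
# Everybody else
LOGNAME=OTHER READ=/ WRITE=/ NOWRITE=/etc:/usr/lib/uucp COMMANDS=ALL
"""

PROTECTED = ("/usr/lib/uucp", "/etc/uucp")  # config directories named in the NOTE


def parse(text):
    """Return one {NAME: [values]} dict per entry, joining '\\' continuations."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if line.endswith("\\"):                # entry continues on the next line
            pending += line[:-1] + " "
            continue
        pairs = (tok.split("=", 1) for tok in (pending + line).split() if "=" in tok)
        entries.append({k.upper(): [x for x in v.split(":") if x] for k, v in pairs})
        pending = ""
    return entries


def covers(dirs, path):
    """True if any directory in dirs is path itself or one of its parents."""
    return any((path + "/").startswith(d.rstrip("/") + "/") for d in dirs)


def audit(entries):
    """Return (entry name, problem) pairs for the settings the text warns about."""
    findings = []
    for e in entries:
        who = ":".join(e.get("MACHINE", []) + e.get("LOGNAME", []))
        if "ALL" in e.get("COMMANDS", []):
            findings.append((who, "COMMANDS=ALL"))
        if "/" in e.get("READ", []) + e.get("WRITE", []):
            findings.append((who, "access granted from /"))
        for path in PROTECTED:                 # writable unless NOWRITE excludes it
            if covers(e.get("WRITE", []), path) and not covers(e.get("NOWRITE", []), path):
                findings.append((who, "can write " + path))
    return findings


if __name__ == "__main__":
    for who, problem in audit(parse(SAMPLE)):
        print(who, "->", problem)
```

On the constructed sample, the garp entry is reported because WRITE=/usr/lib reaches /usr/lib/uucp, while the OTHER entry is flagged for COMMANDS=ALL and access from / but not for the configuration directories, since its NOWRITE list covers them.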